REMARKS 

Please reconsider the present application in view of the above amendments and 
following remarks. Claims 1-6, 8-11, 14, 15, 17-20, and 23-26 are currently pending. By 
way of this Amendment and Response, claims 1, 5, 6, 8, 9, 14, 15, 17, 18, 24, and 26 have 
been amended, and no claim has been added or canceled. Claims 1-6, 8-11, 14, 15, 17-20, 
and 23-26 are pending upon entry of this amendment. Applicants thank the Examiner for 
carefully considering the present application. 

Response to Rejection Under 35 USC § 102 and 103 

In paragraph 2 of the Office Action, the Examiner rejected claims 1-3, 5, 8, 9, 11, 14, 
17, 18, 20, and 23-26 under 35 U.S.C. 103(a) as allegedly being unpatentable over U.S. 
Patent Application Publication Serial No. 2003/0101355 to Mattsson ("Mattsson") in view of 
U.S. Patent Application Publication Serial No. 2003/0167229 to Ludwig, et al. ("Ludwig"). 
In paragraph 3 of the Office Action, the Examiner rejected claims 4, 10, and 19 under 35 
U.S.C. 103(a) as allegedly being unpatentable over Mattsson in view of Ludwig and further 
in view of an article titled "DIDAFIT: Detecting Intrusions in Databases through 
Fingerprinting Transactions" by Low, et al. ("Low"). In paragraph 4 of the Office Action, 
the Examiner rejected claims 6 and 15 under 35 U.S.C. 103(a) as allegedly being 
unpatentable over Mattsson in view of Ludwig and further in view of U.S. Patent Application 
Publication Serial No. 2005/0097149 to Vaitzblit, et al. ("Vaitzblit"). This discussion 
combines these rejections in order to simplify the issues. 

Independent claim 1 has been amended to now recite the following: 

Apparatus for empirically adjusting a user's authorized access to a database, said 
apparatus comprising: 

Case 08590 (Amendment D) 

U.S. Serial No. 10/802,646 

20423/08590/DOCS/1922451.2 

coupled to the database, a database discovery module configured to determine 
database structure and the user's authorized access to the database, the user's 
authorized access including a set of authorized database tables and authorized 
columns; 

coupled to the database, a command monitoring module configured to monitor the 
user's actual accesses to the database until a preselected quantity of actual 
accesses have been observed, the user's actual accesses including a set of 
accessed database tables and accessed columns; and 

coupled to the database discovery module and to the command monitoring 
module, an analysis module configured to compare the user's actual accesses 
with the user's authorized access and configured to adjust the user's 
authorized access taking into account results of the comparing by 
changing settings within a database access control module to deny the 
user future database access to an authorized database table or an 
authorized column that is not in the set of accessed database tables and 
accessed columns. 

(emphasis added) 

Thus, independent claim 1 beneficially recites an apparatus for empirically adjusting 
a user's authorized access. The apparatus compares the user's authorized access with the 
user's actual accesses, and adjusts the user's authorized access to selectively deny the user 
future database access to certain database tables or columns, those that the user was 
authorized to access but did not access. This technique is useful in restricting loosely 
granted database access to reduce the possibility of database intrusion. Independent claims 
5 and 14 recite similar limitations. 
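
The comparison and adjustment recited in claim 1 can be sketched as follows. This is an added example, not part of the filing or of any cited reference; the function name `plan_denials`, the sample tables and columns, and the threshold value are all hypothetical.

```python
# Constructed sample data: authorized access as discovered from the database
# (table -> authorized columns) and the user's monitored accesses.
AUTHORIZED = {
    "orders": {"id", "total", "card_number"},
    "customers": {"id", "name", "ssn"},
    "payroll": {"id", "salary"},
}
OBSERVED = [
    ("orders", "id"), ("orders", "total"), ("customers", "id"),
    ("customers", "name"), ("orders", "id"), ("orders", "total"),
]


def plan_denials(authorized, observed, min_observations):
    """Return authorized-but-unused tables and columns to deny, or None
    while fewer than min_observations accesses have been monitored."""
    if len(observed) < min_observations:
        return None  # preselected quantity not reached yet: keep monitoring

    # Build the set of accessed tables and accessed columns.
    accessed = {}
    for table, column in observed:
        accessed.setdefault(table, set()).add(column)

    plan = {"tables": [], "columns": []}
    for table in sorted(authorized):
        unused = authorized[table] - accessed.get(table, set())
        if unused == authorized[table]:
            # No authorized column of this table was ever accessed:
            # deny the whole table rather than each column.
            plan["tables"].append(table)
        else:
            plan["columns"].extend((table, c) for c in sorted(unused))
    return plan


if __name__ == "__main__":
    # Hypothetical threshold of 5 observed accesses before adjusting.
    print(plan_denials(AUTHORIZED, OBSERVED, min_observations=5))
```

The returned plan lists only items that were authorized yet never accessed; applying it through the database's access control settings is left to the deployment.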

The cited references, Mattsson, Ludwig, Low, and Vaitzblit, either alone or in 
combination, fail to disclose the claimed invention. Mattsson discloses a database intrusion 
detection system that uses item access rates and inference patterns to detect intrusions. If a 
user's query activity is within his permitted item access rate, yet his accumulated query results 
match a relevant inference pattern, then the Mattsson system classifies the related query 
activity as an intrusion. See Mattsson, paragraph [0044]. 

Mattsson does not teach adjusting "authorized access" as claimed. The Examiner 
cited paragraphs [0037-39], [0042-46], and [0052] for teaching of corresponding limitations 
before the present amendment. These paragraphs disclose that the Mattsson system has an 
intrusion detection module that compares query results with item access rates and inference 
patterns to detect intrusions, and that if an intrusion is detected then an access control system 
is alerted and the query results are not transmitted to the requesters. Nowhere in Mattsson 
does it teach or suggest selectively denying a user's future database access to certain database 
tables or columns, those that he was authorized to access but did not access. 

Ludwig similarly fails to teach the above-cited claim features. Ludwig discloses a 
business platform for payment transactions and is not related to adjusting user access to 
databases. The Examiner cited paragraph [0051] of Ludwig for teaching "denying future 
database access to operations by certain users on database tables and columns that were 
previously authorized but not observed by the command monitoring module" as previously 
recited in claim 1. Paragraph [0051] discloses methods to verify the identity of a user, 
including periodically changing passwords and expiring inactive user accounts. None of 
these involves selectively denying a user's future database access to certain database tables 
or columns, those that he was authorized to access but did not access. 

Low and Vaitzblit also fail to disclose the above-cited claim features. Low discloses 
a database intrusion detection system that fingerprints SQL statements in order to detect 
illegitimate accesses. Vaitzblit discloses a database audit system used to monitor, and 
optionally alert on, database activity. Neither of the two references teaches or suggests 
selectively denying a user's future database access to certain database tables or columns in 
the manner claimed. 

In view of the above, Mattsson, Ludwig, Low, and Vaitzblit, whether considered 
individually or in combination, fail to disclose each and every limitation recited in 
independent claims 1, 5, and 14. Thus, independent claims 1, 5, and 14 are patentable over 
Mattsson, Ludwig, Low, and Vaitzblit. Dependent claims are allowable for at least the 
same reasons. Accordingly, withdrawal of the § 103 rejections is respectfully requested. 

Summary 

In sum, Applicants respectfully submit that claims 1-6, 8-11, 14, 15, 17-20, and 23-26, 
as presented herein, are patentably distinguishable over the cited references. Therefore, 
Applicants request reconsideration of the basis for the rejections to these claims and request 
allowance of them. 

Should the Examiner wish to discuss the above amendments or if the Examiner 
believes that for any reason direct contact with Applicants' representative would help to 
advance the prosecution of this case to finality, the Examiner is invited to telephone the 
undersigned at the number given below. 

Respectfully Submitted, 
HARLAN SEYMOUR ET AL. 

Date: June 9, 2008 By: /Jie Zhang/ 

Jie Zhang, Reg. No.: 60,242 
Fenwick & West LLP 
801 California Street 
Mountain View, CA 94041 
Phone: (650) 335-7297 
Fax: (650) 938-5200 